Four More Collections, 700 Million Stolen Passwords Discovered

Researchers say that four more collections of stolen passwords contain more than 2 billion records and hundreds of millions of unique passwords, according to reports.

Researchers from security firms and universities in the U.S. and Europe say they have poured over more than 800 Gigabytes of stolen account credentials and identified 25 billion stolen records and some 700 million unique user names and passwords they have called “Collections 2 through 5.”

Wired reports that researchers at the IoT startup Phosphorus.io and researchers at the Hasso-Plattner Institut at Germany’s University of Potsdam have analyzed the data troves and added them to collections of other stolen user credentials. This, after Australian researcher Troy Hunt, who publicized a massive trove of billions of stolen data known as “Collection 1,” called attention to the data troves more than two weeks ago.

As Hunt told me on a recent Security Ledger Podcast, Collection 1 was just the tip of a very large iceberg of stolen or leaked data including user IDs, emails and passwords. “At the end of the day, if its just an amalgamation of of individual incidents, who knows how many more there are out there,” Hunt told The Security Ledger. The data in that collection is an amalgamation of earlier breaches, some – like the breach of 000webhost – were already circulating.

Hunt said the data in Collections 2 through 5 was referred to him by online sources after he publicized Collection 1 in January. He said he acquired the new collections after “dozens of individuals” had sent him links to the additional “collections” soon after he had published a blog post noting that he had integrated the Collection 1 data.

Reports by Heise and Wired now reveal that the added collections contained more than 800 gigabytes of files containing more stolen credentials. Moreover, Hasso-Plattner Institut analysis suggests that there is little overlap between the data in Hunt’s Collection 1 and the data in Collections 2-5.

Still, it is likely that many of the leaked passwords won’t be unique. In fact, Collection 1 contained just 21 million unique passwords out of more than 770 million leaked records. Like Collection 1, the new collections contain stolen data from previous breaches including the Yahoo and LinkedIn breaches. Much of that will already be known.

770 million records…just 21 million unique passwords

“It tells you…how bad the password choices are,” he told Security Ledger. “You have multiple people choosing the same password like QWERTY or other very easy to guess passwords.”

“It’s almost like we’re exhausting the characters space of commonly used passwords and new incidents aren’t showing us a lot in the way of new passwords,” he said.

He said the solution for leaked passwords was for data owners to spend more time and resources securing web applications as well as cloud-based resources like Amazon cloud storage containers. Given that, encrypting sensitive data like passwords can keep them from falling into the hands of criminals after they are leaked.

Finally, users have to stop reusing passwords. “This is only newsworthy because people re-use passwords,” he said. Maintaining strong and unique passwords for every site would make leaked password collections like this meaningless as each set of credentials would only work on a single site.

Author: PaulI'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."